Commit Graph

37630 Commits

Author SHA1 Message Date
VectorPeak
f8c7f67bde fix(ai): reject non-finite tool schema numbers (#104470)
* fix(ai): reject non-finite tool schema numbers

Co-authored-by: chatgpt-codex-connector[bot] <199175422+chatgpt-codex-connector[bot]@users.noreply.github.com>

* fix(ai): catch non-finite values from tool schema serializers

Co-authored-by: chatgpt-codex-connector[bot] <199175422+chatgpt-codex-connector[bot]@users.noreply.github.com>

Co-authored-by: clawsweeper[bot] <274271284+clawsweeper[bot]@users.noreply.github.com>

* test(ai): cover nested tool schema serializers

Co-authored-by: chatgpt-codex-connector[bot] <199175422+chatgpt-codex-connector[bot]@users.noreply.github.com>

* fix(ai): satisfy schema projection lint

Co-authored-by: chatgpt-codex-connector[bot] <199175422+chatgpt-codex-connector[bot]@users.noreply.github.com>

* fix(ai): satisfy schema projection lint

Co-authored-by: chatgpt-codex-connector[bot] <199175422+chatgpt-codex-connector[bot]@users.noreply.github.com>

* fix(ai): preserve empty-key schema diagnostic paths

* fix(ai): reject boxed non-finite schema numbers

* fix(ai): ignore spoofed boxed-number tags

* fix(ai): isolate boxed-number brand probes

* refactor(ai): use intrinsic boxed-number detection

---------

Co-authored-by: chatgpt-codex-connector[bot] <199175422+chatgpt-codex-connector[bot]@users.noreply.github.com>
Co-authored-by: clawsweeper[bot] <274271284+clawsweeper[bot]@users.noreply.github.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-11 14:50:54 -07:00
Josh Lehman
0a8e3604ba refactor: flip sessions and transcripts to sqlite storage (#98236)
* refactor(sessions): migrate runtime storage to sqlite

* test(sessions): fix sqlite CI regressions

* test(sessions): align remaining sqlite fixtures

* fix(codex): require sqlite trajectory recorder

* test(sessions): align orphan recovery sqlite fixture

* test(sessions): align sqlite rebase fixtures

* fix(sessions): finish current-main integration of the sqlite flip

Resolve the whole-store SDK removal across its owner boundary: drop the
loadSessionStore re-export and the registry whole-store wrappers, wire
hasTrackedActiveSessionRun into gateway chat, complete the
preserveLockedHarnessIds cleanup contract, flip the codex thread-history
import to storePath targets, and port remaining main-side tests from
file-store helpers to session accessor reads.

* chore: drop committed pebbles log, revert plugin-inspector bump, refresh generated docs

Remove the 1.8k-line .pebbles/events.jsonl work log from the branch, restore
the plugin-inspector advisory lane to main's pinned 0.3.10 so the supply-chain
bump gets its own review, and regenerate docs_map, the plugin SDK API baseline,
and the export-surface ratchet for the merged tree.

* feat(sessions): keep archived transcripts by default with zstd cold storage

Codex-style retention: deleting or resetting a session archives its
transcript as a zstd-compressed JSONL artifact (plain when the runtime
lacks node:zlib zstd) and keeps it until the disk budget evicts oldest
first. resetArchiveRetention now governs both deleted and reset archives
and defaults to keep; maxDiskBytes defaults to 2gb so retention stays
bounded, with archives evicted before live sessions. The cron reaper
follows the same knob instead of deleting archives on its own timer.

* fix(state): converge agent DB migration lineages and bound database growth

Merge coherence: run both structure-gated legacy memory-schema repairs
(flip-lineage drop, main-lineage identity rebuild) before the flip
migration so pre-flip v1/v2 and pre-merge flip v1/v4 databases all
converge, and hoist foreign_keys=OFF outside the schema transaction
where the pragma was silently ignored and the v1 sessions rebuild
cascade-deleted session_entries.

Growth guards: fresh agent DBs enable auto_vacuum=INCREMENTAL, WAL
maintenance releases freed pages in bounded passes (never a blocking
full VACUUM), and doctor reports state/agent DB bloat from freelist
stats.

* fix(codex): resolve the store path for thread-history import via the SDK

The supervision catalog passed the legacy sessionFile locator to the
storePath-targeted transcript mirror; resolve the agent store path with
the session-store SDK helper instead of a runtime-object seam so test
fakes and headless callers need no extra surface. Drop the obsolete
missing-session-id preprocessing case: sessions rows are NOT NULL on
session_id and upsert repairs id-less patches at write time.

* fix(sessions): fail safe on malformed disk-budget config and doctor stat errors

A malformed explicit maxDiskBytes disables the budget instead of
falling back to the destructive 2gb default the user never chose, and
the doctor bloat check skips databases whose paths stat-fail instead of
aborting doctor.

* fix(sessions): complete sqlite conflict translations

* test(sqlite): align hardening checks with maintenance

* test(sessions): inspect compressed transcript archives

* fix(tests): await session seeds and drop unused helpers flagged by CI lint

The five unawaited writeSessionStoreSeed calls raced their SQLite seeds
against the assertions, failing compact shards; the bloat probe drops a
useless initializer and the merged tests drop now-unused helpers.

* test(sessions): type legacy proof events directly

* test(sessions): align hardening contracts

* perf(sessions): read usage transcript sizes from SQL aggregates

Usage/cost scans walked every session and materialized every transcript
event just to re-stringify it for a byte estimate — the #86718 stall
class reborn on the DB. readTranscriptStatsSync sums stored JSON bytes
in SQLite without loading a single row.

* fix(sessions): re-root foreign-root transcript paths onto the current sessions dir

Restored backups, moved OPENCLAW_STATE_DIR, and rehearsal copies carry
absolute sessionFile paths from the old root; the containment fallback
kept those foreign paths, so migration read (and would archive) files in
the original root and reported local copies missing. Re-root the
canonical agents/<id>/sessions suffix onto the current dir when the file
exists there; genuine cross-root layouts still fall through unchanged.

* test(agents): seed harness admission through sqlite

* fix(sqlite): close agent db on pragma setup failure

* fix(doctor): compact and retrofit incremental auto-vacuum after session import

The migration is the sanctioned offline window: post-import compact
reclaims import churn and applies auto_vacuum=INCREMENTAL to databases
created before the fresh-DB pragma existed, so runtime maintenance can
release pages in bounded passes on every install.

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-11 14:50:37 -07:00
chenyangjun-xy
26e1b18a9b fix(attempt-execution): use truncateUtf16Safe for summary text truncation (#104454)
* fix(attempt-execution): use truncateUtf16Safe for summary text truncation

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* test(agents): cover fallback summary UTF-16 boundary

* test(agents): cross fallback summary truncation budget

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-11 14:38:19 -07:00
NIO
4b27de4ddb fix(gateway): keep worker SSH tunnel stderr tails UTF-16 safe (#104621)
* fix(gateway): keep worker SSH tunnel stderr tails UTF-16 safe

* refactor(gateway): simplify bounded SSH diagnostics

* refactor(gateway): use shared UTF-16 tail slicing

---------

Co-authored-by: NIO <nocodet@mail.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-11 14:37:11 -07:00
wings1029
14b95c7552 fix(write): report actual UTF-8 byte count in success message (#104560)
* fix(write): report actual UTF-8 byte count in success message

Replace string.length (UTF-16 code units) with Buffer.byteLength(content, 'utf8')
so the reported byte count matches the actual bytes written to disk.

For ASCII content the values are identical. For non-ASCII content (CJK, emoji),
string.length underreports — e.g. '你好' reports as 2 bytes but is actually 6.

* refactor(write): centralize success reporting

* test(write): avoid shadowing recovery fixture

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-11 14:24:41 -07:00
mushuiyu886
b2702156ac fix(agents): preserve UTF-16 boundaries in bootstrap context (#104423) 2026-07-11 14:07:47 -07:00
mushuiyu886
1c576a2713 fix(cron): preserve UTF-16 boundaries in exec tails (#104385) 2026-07-11 14:04:04 -07:00
Peter Steinberger
b80ab618c3 feat(cloud-workers): authenticated worker protocol with closed ingress and minted credentials (#104688)
* feat(cloud-workers): add authenticated worker protocol

* feat(cloud-workers): add worker credential primitives

* docs(gateway): document closed worker protocol

* test(cloud-workers): keep protocol fixtures lean

* fix(cloud-workers): bound live worker connections

* fix(cloud-workers): close admission and cleanup gaps

* docs: regenerate docs map for worker protocol page
2026-07-11 13:45:14 -07:00
Peter Steinberger
c48ed95533 feat(ui): merge Instances into a unified Devices page (#104561)
* chore(i18n): regenerate locale bundles for Devices rename

* chore(i18n): regenerate locale bundles for Devices rename

* chore(i18n): sync locale metadata for Devices rename

* fix(gateway): stop tracking ephemeral control-plane clients in presence

* feat(ui): merge Instances into a unified Devices page

* docs: point Instances references at the unified Devices page

* chore(i18n): reconcile locale metadata after rebase

* fix(gateway): keep test-mode clients tracked in presence; refresh docs map
2026-07-11 13:36:07 -07:00
Peter Steinberger
aee938273c fix(sessions): preserve cancelled terminal outcome detail in the session state signal log (#104676) 2026-07-11 13:35:44 -07:00
Peter Steinberger
a366218cf4 fix(gateway): retain detached hook admission (#104686) 2026-07-11 13:33:26 -07:00
Peter Steinberger
262baedcf7 test(agents): isolate full-suite shared state (#104682) 2026-07-11 13:28:21 -07:00
Peter Steinberger
8fe6ac7fb9 refactor: remove pre-2026.4 compatibility shims and legacy migrations (#104650)
* refactor(matrix): retire pre-2026.4 legacy crypto and flat-storage migrations

* refactor(cli): drop pre-tsdown daemon-cli dist compat shim from the build

* refactor(diffs): remove deprecated image*/format tool params and output aliases

* refactor(ui): drop pre-gateway-scoped localStorage readers and legacy theme map

* refactor: remove assorted pre-2026.4 compat shims and deprecated aliases

* fix(discord): map legacy thread-binding fields in the doctor JSON import

* fix(msteams): keep bot read fallback for legacy imported conversation rows

* test(msteams): cover legacy bot-only imported conversation references

* fix(ui): keep channel-prefixed session key display fallback

* chore: refresh native i18n inventory and build-docker step count

* chore(matrix): drop now-unused migration-config module

* chore: re-pin plugin SDK public export budget after compat removals

* chore: refresh native i18n inventory after rebase

* chore: re-pin plugin SDK callable budget and refresh i18n inventory after rebase
2026-07-11 13:22:27 -07:00
Peter Steinberger
a89e6d9870 refactor(channels): migrate internal callers off deprecated reply facades (#104673) 2026-07-11 13:15:16 -07:00
Peter Steinberger
7a466b33f3 feat: add metadata-only message audit events (#103903)
* feat: add metadata-only message audit events

* chore(protocol): restore generated swift models and config baseline after rebase

* fix(state): gate agent-db ownership check before schema version

* fix(cli): sync audit command description into the root-help catalog

* fix(audit): require destination proof before classifying outbound messages as direct

* refactor(audit): drop dead migration guard and add contract comments

* docs(gateway): add dedicated audit history page and cross-links

* test(e2e): enable direct-mode message audit in the telegram proof SUT config

* test(channels): expect declared conversationKind in durable delivery session context

* fix(audit): record the routing channel id for inbound rows from plugin channels

* fix(audit): match channel-prefixed delivery targets in the destination route gate

* fix(audit): validate explicit target kind against the destination route kind

* fix(audit): use the canonical target-prefix grammar in the destination route gate and fail closed on foreign migration tables

* fix(audit): normalize nested provider and kind target prefixes in the destination gate

* fix(audit): strip registered provider aliases and the direct kind prefix in the destination gate

* chore(docs): refresh config baseline after rebase
2026-07-11 13:14:08 -07:00
Peter Steinberger
e34bff2276 refactor(plugin-sdk): collapse internal config-schema facade usage onto one module (#104665) 2026-07-11 13:00:53 -07:00
Peter Steinberger
8310c565e0 feat(onboarding): add provider sign-in (#104502)
* feat(onboarding): add provider sign-in flows

* fix(oauth): keep callback compatibility

* fix(onboarding): reconcile lost auth outcomes

* fix(onboarding): lock auth cancellation at commit

* fix(onboarding): close provider auth lifecycle gaps

* fix(onboarding): make terminal auth failures dismissable

* fix(onboarding): satisfy native app checks

* fix(onboarding): reconcile absent auth sessions

* fix(onboarding): bound provider auth sessions

* fix(onboarding): open provider auth links safely

* test(onboarding): use scanner-safe auth fixtures

* revert: keep established onboarding auth fixtures

* fix(onboarding): close provider auth cancellation gaps

* fix(gateway): retain uncollected wizard results

* fix(onboarding): bind provider reconciliation attempt

* fix(i18n): avoid guessing moved string identities

* style(onboarding): normalize remote auth choices efficiently

* fix(protocol): refresh optional provider auth choices

* test(gateway): cover provider auth dispatch order

* refactor(macos): split onboarding setup support

* fix(macos): refresh merged native checks
2026-07-11 13:00:17 -07:00
Peter Steinberger
a6c7f2f4b7 fix(agents): make indexed access explicit across src/agents (#104670)
Burns down all 517 noUncheckedIndexedAccess errors (91 files) with
behavior-identical restructuring: iteration/.entries(), .at()/charAt,
destructuring, regex/split guards, explicit invariant failures. Stream
transports keep event ordering and payloads identical; bash host phases
preserve argv ordering and approval binding. Latent bug fixed: two
agent-command sites spread a possibly-undefined session entry into a
persisted SessionEntry ({...undefined} -> {}); they now fail loudly.
Sparse transcript messages are dropped-and-marked instead of propagated.
2026-07-11 13:00:07 -07:00
Peter Steinberger
ff1c29eaf9 feat(fleet): stream tenant cell logs through the supervisor (#104669) 2026-07-11 12:59:29 -07:00
Yuval Dinodia
c05270a980 fix(agents): protect provider auth exchange output by sensitivity, not input marker (#104547)
* fix(agents): protect provider auth exchange output by sensitivity, not input marker

protectPreparedProviderRuntimeAuth decided whether to protect a credential from
the shape of the input sourceApiKey: if the input was not a sentinel and not
registered for redaction it returned the exchange output untouched. That
assumes output sensitivity mirrors input sensitivity, which is false for any
provider that turns a non-secret marker into a real credential.

The bundled amazon-bedrock-mantle plugin hits this live: its stored apiKey is
the marker __amazon_bedrock_mantle_iam__ (not declared in nonSecretAuthMarkers,
so resolved raw), and its prepareRuntimeAuth mints a real IAM-derived Bedrock
bearer token. That real token flowed through the guard unprotected, so it was
stored and logged unredacted.

Gate protection per output value instead: skip empty values and non-secret
markers, protect everything else. Sibling providers that echo their own markers
(ollama-local, lmstudio-local, codex-app-server, gcp-vertex-credentials) are
unaffected. Drops the now-dead sourceApiKey parameter and its call sites.

* test(agents): assert sentinel storage and egress restoration for protected provider auth

* test(agents): assert protected runtime auth state

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-11 12:57:16 -07:00
Peter Steinberger
cc4425eb4c fix(gateway): demote clean local startup closes (#104655) 2026-07-11 12:44:24 -07:00
NIO
589f1c00de feat(security): audit open ingress control-plane tool exposure (#100965)
* fix(security): audit open control-plane exposure

Co-authored-by: NIO <nocodet@mail.com>

* chore: keep sweep changelog neutral

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
Co-authored-by: NIO <nocodet@mail.com>
2026-07-11 12:36:37 -07:00
Qiyuan Zhang
abd6cbbae1 fix: preserve tool-result text across media fallback and context pressure (#99756)
* fix: keep text tool results ahead of stale media placeholders

* fix(agents): preserve fresh results before runtime context

* fix(agents): defer fresh results during aggregate recovery

* fix(google): preserve omitted media fallback

* fix(openai): preserve omitted media fallback

* fix(agents): narrow tool-result recovery scope

* fix(agents): keep one fresh-result recovery path

* chore: keep sweep changelog neutral

---------

Co-authored-by: AcosX <AcosX@users.noreply.github.com>
Co-authored-by: Acos_X <acos_x@AcosXMacBook-Pro.local>
Co-authored-by: Colin Johnson <colin@solvely.net>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-11 12:35:19 -07:00
Shakker
cc07451a57 docs: document centered chat layout 2026-07-11 20:33:52 +01:00
Song Zhenlin
416d113a2c fix(utils): use UTF-16 safe truncation for long URL timeout logs (#104301)
* fix(utils): use UTF-16 safe truncation for long URL timeout logs

* test(utils): cover UTF-16 timeout log boundaries

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-11 12:27:03 -07:00
Peter Steinberger
2bb79d10fd feat: parents get durable state-change notices when humans interact with child sessions (#104636)
* feat(sessions): durable session state events with parent invalidation

Parents no longer act on stale child-session state: a durable, typed
signal log (session_state_events + per-agent heads) records direct human
messages to children, child spawn/terminal outcomes, goal changes, and
compaction at the seams where those facts are created. A frozen-watermark
cursor protocol (session_watch_cursors) delivers one coalesced system
notice to the parent through the existing system-event + heartbeat wake
idiom, acknowledged at the shared generic drain, with a deferred startup
sweep for restart recovery. session_status gains stateVersion and
changesSince (with exact pruned-history gap signaling); sessions_list
rows gain stateVersion.

Closes #104565

* chore: regenerate docs map and prompt snapshots for session_status changesSince
2026-07-11 12:19:02 -07:00
moguangyu5-design
aa12e71de7 fix(outbound): preserve attributed inline formatting (#104118)
* fix(outbound): preserve backticks on <code> tags with attributes

The plain-text sanitizer only matched bare <code> openers, so attributed
variants such as <code class="language-ts"> lost their backtick wrapping
and were stripped to raw text before channel delivery.

Allow optional attributes on the opening <code> tag, consistent with the
existing handling for <h[1-6]> and <li> in the same function.

Fixes #104117

* fix(outbound): preserve attributed inline formatting

Co-authored-by: chengzhichao-xydt <chengzhichao-xydt@users.noreply.github.com>

* test(outbound): compact attributed tag coverage

* fix(outbound): normalize attributed formatting tags

* docs(outbound): clarify attribute normalization invariant

* fix(outbound): preserve native formatting semantics

* docs(plugin-sdk): document sanitizer markup styles

* docs(plugin-sdk): refresh docs map

---------

Co-authored-by: moguangyu5-design <moguangyu5-design@users.noreply.github.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
Co-authored-by: chengzhichao-xydt <chengzhichao-xydt@users.noreply.github.com>
2026-07-11 12:03:11 -07:00
Peter Steinberger
78fca7b0c4 fix(gateway): demote startup close transport races (#104625)
* fix(gateway): demote startup close transport races

* fix(gateway): remove stale startup close import
2026-07-11 11:49:27 -07:00
Peter Steinberger
6bd14d9129 test(channels): extend bundled artifact parity and add plugin-shape contract suite (#104618) 2026-07-11 11:44:34 -07:00
Peter Steinberger
7193d29c92 fix(gateway): demote expected startup socket aborts (#104610)
* fix(gateway): demote expected startup socket aborts

* fix(gateway): retain queued-frame startup warnings
2026-07-11 11:27:21 -07:00
Peter Steinberger
5a5424474d feat(fleet): multi-tenant hosting via openclaw fleet cell supervisor (#104527)
* feat(fleet): add openclaw fleet cell supervisor for multi-tenant hosting

* test(fleet): cover cell profile, registry, containers, and service flows

* docs(fleet): document multi-tenant hosting and the fleet CLI

* fix(fleet): verify upgrade replacements and release foreign-collision reservations

* fix(fleet): gate upgrade commit on replacement health

* docs(fleet): mark fleet experimental and pin its single-host scope

* test(fleet): make incomplete-profile casts explicit for test-type lane

* fix(state): regenerate kysely schema artifacts after rebase conflict
2026-07-11 11:24:04 -07:00
Peter Steinberger
ea2b558e5e fix(browser): prevent stale profile resurrection (#104601)
* fix(browser): serialize profile lifecycle

* refactor(browser): tighten lifecycle cleanup

* chore(browser): keep release note in PR

* test(browser): keep temp fixtures inside plugin

* test(browser): use preferred temp root
2026-07-11 11:06:07 -07:00
Peter Steinberger
d4adddbe9c refactor(retry): add full-jitter mode and adopt it for mattermost client retries (#104594) 2026-07-11 10:56:54 -07:00
mushuiyu886
92870e5200 fix(agents): preserve UTF-16 boundaries in block chunks (#104441)
* fix(agents): preserve UTF-16 boundaries in block chunks

* refactor(agents): import UTF-16 helper from leaf module

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-11 10:56:05 -07:00
Peter Steinberger
e9b7a9a912 fix(memory): search by filenames and paths (#104449)
Co-authored-by: Pick-cat <huang.ting3@xydigit.com>
2026-07-11 10:54:34 -07:00
Eave Luo
dc18b0df1e fix(gateway): allow macOS app platform version refresh without re-pairing (#89702)
* fix(gateway): allow macOS app platform version refresh without re-pairing

When macOS updates (e.g. 26.5.0 → 26.5.1), the Mac app detects a
platform mismatch against its paired record and sends a repair request.
The approval dialog enters an infinite loop because the pending request
TTL (5 min) expires before the user clicks Approve, causing "unknown
requestId" errors that trigger a new repair request ad infinitum.

iOS and Android already had silent platform version refresh via
normalizeMobileAppPlatformPin — this extends the same treatment to the
macOS native app by recognizing "macos X.Y.Z" as the same platform
family regardless of version, renaming the helper to
normalizeNativeAppPlatformPin.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(gateway): validate macOS platform version refreshes

* fix(gateway): avoid native platform family marker collisions

* test(gateway): type node client name

---------

Co-authored-by: 骆毅 <luoyifu.lyf@digital-engine.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-11 10:52:27 -07:00
xingzhou
04037e35c0 fix(chat): tool titles corrupt boundary emoji in long inputs (#104464)
* fix(chat): tool titles corrupt boundary emoji in long inputs

* test(chat): simplify UTF-16 title boundary coverage

* test(chat): satisfy title boundary lint

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-11 10:45:04 -07:00
Peter Steinberger
b6e95201f8 fix(cron): retain detached manual run admission (#104595) 2026-07-11 10:36:26 -07:00
Peter Steinberger
96f0983a85 fix(onboarding): skip setup for configured gateways and require inference first (#102883)
* fix(crestodian): keep onboarding RPCs restart-safe

* fix(profiles): isolate approval state migrations

* fix(crestodian): bypass configured gateway setup

* test(crestodian): type onboarding mocks

* fix(onboarding): require inference before Crestodian

* fix(onboarding): enforce verified inference handoff

* fix(macos): reset setup on gateway endpoint edits

* chore(i18n): refresh native source inventory

* fix(gateway): keep socket on request cancellation

* test(packaging): require workspace templates

* fix(onboarding): bind setup to verified inference

* fix(onboarding): align inference gate contracts

* fix(crestodian): classify concurrent policy rejection

* test(crestodian): expect registry restoration

* fix(onboarding): bind setup to configured gateways

* fix(codex): preserve startup phase deadlines

* test(crestodian): match fail-closed policy ordering

* test(onboarding): assert bound gateway handoff

* fix(codex): bind runtime resolution to spawn cwd

* test(crestodian): assert policy rejection order

* fix(cli): preserve gateway routing across restarts

* fix(macos): fail closed during gateway edits

* test(macos): cover gateway route generation races

* chore: keep release notes out of onboarding PR

* fix(ci): refresh onboarding generated checks

* style(swift): align gateway channel formatting

* fix(ci): refresh plugin SDK surface budgets

* fix(ci): resync native string inventory

* refactor(swift): split gateway channel support

* test(doctor): isolate plugin compatibility registry

* test(macos): isolate gateway onboarding fixtures

* test(macos): assert gateway lease health ordering

* fix(codex): reconcile computer-use startup changes
2026-07-11 10:25:14 -07:00
Peter Steinberger
49b5b862ac feat: node-hosted plugins — dynamic tools, MCP servers, and skills (#90431)
* feat: node-hosted plugins — dynamic tools, MCP servers, and skills

Nodes become declarative plugin hosts:
- node.pluginTools.update: node hosts publish plugin-registered agent tool
  descriptors; gateway materializes them as agent tools executing via
  node.invoke under the node command allowlist, with tools.effective
  invalidation and node online/offline removal.
- Trusted paired-node descriptors: no gateway-side plugin registration
  required; gateway.nodes.pluginTools.enabled off-switch (default on);
  description/count caps; deterministic node-prefixed collision names.
- Declarative node-hosted MCP: nodeHost.mcp.servers (McpServerConfig shape)
  starts MCP clients on the node host, publishes tools as pluginId node-mcp,
  executes via built-in mcp.tools.call.v1 with per-layer timeouts, failure
  isolation, and orphan-safe shutdown. No re-pairing when servers change.
- Node-hosted skills: node.skills.update publishes ~/.openclaw/skills
  content (64 skills/64KB/512KB caps both sides); gateway merges them into
  the skills snapshot while connected and exec host=node is available, with
  node:// locators, node-prefixed collisions, disabled command dispatch,
  and gateway.nodes.skills.enabled + nodeHost.skills.enabled switches.
- Security: node-supplied pluginIds cannot satisfy pluginId-scoped tool
  allowlists unless gateway-registered; reserved node-mcp id requires the
  core MCP descriptor shape; protocol registry kept out of public
  plugin-sdk dts.
- E2E: pond harness proves publication, MCP round-trip, skills locator, and
  disconnect/reconnect for all three surfaces.

* style: format node-plugin-tools test

* fix(skills): keep status loader unfiltered when eligibility is passed

skills.status started passing eligibility for the node-skill merge, which
flipped loadWorkspaceSkillEntries into filtered mode and dropped disabled
skills from status reports (QA plugin-lifecycle-hot-reload timeout). Status
now merges node skills explicitly around an unfiltered load. Also: regen
docs_map for new node docs sections; add the intentional node-host MCP
onclose suppression to the lint-suppression allowlist.
2026-07-11 10:16:34 -07:00
qingminlong
183139f3ed fix(nodes): reject malformed media payloads when base64 is invalid (#104414)
* fix(nodes): reject malformed media base64 payloads

* fix(nodes): keep media base64 size preflight

* refactor(nodes): reuse shared base64 boundary

Co-authored-by: qingminlong <qing.minlong@xydigit.com>

* docs(changelog): note node media validation

* chore: leave changelog to release automation

* test(nodes): cover empty invalid media payloads

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-11 10:11:09 -07:00
NIO
58ef98ec13 fix(agents): keep scp stderr tail UTF-16 safe end-to-end (#104148)
Co-authored-by: NIO <nocodet@mail.com>
2026-07-11 13:07:12 -04:00
Yuval Dinodia
68c18caca0 fix(node-pairing): require operator.admin to approve browser.proxy nodes (#104491)
Approving a node whose pairing surface advertises browser.proxy only required
operator.write, while invoking browser.proxy already requires operator.admin
(server-methods/nodes.ts). resolveNodePairApprovalScopes bumped the approval
scope to operator.admin only for NODE_SYSTEM_RUN_COMMANDS, so a write-scoped
operator could trust a browser.proxy-capable node that later routes bundled
browser-tool traffic. Add NODE_BROWSER_PROXY_COMMAND to the admin-approval set
so approval scope matches the invoke-time gate.
2026-07-11 09:58:00 -07:00
NIO
8cf88bfa12 fix(plugins): bound hosted catalog feed reads on non-streaming responses (#101000)
Co-authored-by: NIO <nocodet@mail.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-07-11 12:41:51 -04:00
Peter Steinberger
57af2bbff0 fix: clear remaining release validation blockers (#104555)
* test: align provider tool call lifecycles

* test: isolate plugin install repair migrations

* fix: accept catalog temperature compatibility

* fix: disable GPT-5.6 tool reasoning on completions

* style: avoid shadowed stream model
2026-07-11 09:32:16 -07:00
Peter Steinberger
5ca46a6554 feat(cloud-workers): pinned SSH tunnel runtime and provider-owned key resolution (#104553)
* feat(cloud-workers): add pinned SSH tunnel runtime

* feat(crabbox): resolve cloud worker SSH identities

* docs(cloud-workers): document SSH tunnel contracts
2026-07-11 09:26:08 -07:00
Peter Steinberger
934a974c29 feat(slack): support native data visualizations (#104539) 2026-07-11 09:18:39 -07:00
Ayaan Zaidi
4b33199a65 refactor(agents): converge run staleness policy onto diagnostic activity owner
One RUN_STALE_TAKEOVER_MS constant and one resolveRunStaleThresholdMs in
diagnostic-run-activity.ts replace the hand-paired constants and duplicated
blocked-tool-floor derivations in the reply and embedded run registries.
Thresholds are byte-identical before and after; zero behavior change.

Part of #104219 (seam 4).
2026-07-11 20:59:37 +05:30
Peter Steinberger
c3b426f280 feat: add Claude session fleet (#104528)
* feat: add Claude session fleet

* chore: leave release notes to release automation

* chore: refresh generated catalogs

* fix: satisfy session catalog lint gates
2026-07-11 08:22:59 -07:00
Peter Steinberger
03cab29505 feat(cloud-workers): worker bundle production, pinned SSH bootstrap, and admission handshake (#104532)
* feat(gateway-protocol): add worker admission handshake

* feat(cloud-workers): build and bootstrap worker bundles

* feat(cloud-workers): wire bootstrap lifecycle

* fix(cloud-workers): state host-key TOFU fallback without warning-comment suppression

* test(cloud-workers): assemble host-key fixture to satisfy review secret scanner

* test(cloud-workers): assemble redaction fixture to satisfy review secret scanner

* fix(cloud-workers): require pinned SSH host keys

* fix(state): add ssh_host_key to additive worker_environments migration
2026-07-11 08:14:30 -07:00